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CIAIMS 

What is claimed is : 

1. A virus detection method for use in a computer 
system comprising at least one object that may potentially 
become infected with a computer virus, comprising steps of: 

providing a database comprised of stored information 
that is descriptive of a state of the at least one 
object as it existed at a point in the past; and 

for an object that is indicated as having a current 
state that is described by the stored information, 
programmatically examining the object for a presence 
of a computer virus while assuming that the current 
state of the object is the same as the state of the 
object as it existed at the point in the past, 

2. A method as in claim 1, wherein the stored 
information is descriptive at least in part of a number and 
location of macros within the object. 

3. A method as in claim 1, wherein the stored 
information is descriptive at least in part of a number and 
location of archived objects within the object , 

4. A method as in claim 1, wherein the stored 
information is descriptive at least in part of features of 
the object that serve as inputs to a neural network-based 
virus detection system, and wherein the step of 
programmatically examining the object comprises a step of 
operating the neural network-based virus detection system 
using the features as inputs. 
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5. A method as in claim 1, wherein the stored 
information is descriptive at least in part of whether at 
least one macro is present within the object. 

6. A method as in claim 1, wherein the stored 
information is descriptive at least in part of whether at 
least one archived object is present within the object. 

7. A method as in claim 1, wherein the stored 
information is descriptive at least in part of whether the 
object can possibly be infected with a virus according to 
predetermined criteria, and wherein the step of 
programmatically examining is executed only if the stored 
information indicates that the object may possibly be 
infected according to the predetermined criteria as 
compared to criteria that are currently in effect. 

8. A method as in claim 1, wherein if it is indicated 
that a current state of the object is not described by the 
stored information, the step of programmatically examining 
comprises an initial step of processing the object to 
ascertain the current state of the object, and storing 
information in the database that is descriptive of the 
current state of the object. 

9. A method as in claim 1, wherein the stored 
information comprises, for an object that contains in 
archived or combined form at least one other object, 
information descriptive of whether the at least one 
contained object is of a type that should be examined for 
computer viruses, and wherein the step of programmatically 
examining avoids re -determining and re -scanning the 
contained at least one object if the stored information 
indicates that the at least one contained object is not 
required to be scanned. 
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10- A method as in claim 1, wherein the stored 
information comprises, for an object that contains in 
archived or combined form at least one other object, 
information descriptive of at least one of a location, 
extent, or encoding-method of the at least one contained 
obj-ect, and wherein the step of programmatically examining 
is responsive to the stored information for reducing an 
amount of processing time required to extract the at least 
one contained object in order to examine the at least one 
contained object. 

11, A method as in claim 1, wherein the stored 
information comprises information descriptive of a location 
of an entry-point of the object, and wherein the step of 
programmatically examining uses the stored information to 
determine the entry-point of the object, if the database 
indicates that the object has not changed since the entry- 
point information was stored. 

12, A method as in claim 1, wherein the stored 
information comprises information descriptive of a 
structure of the object, and wherein the step of 
programmatically examining uses the stored information to 
determine the structure of the object, if the database 
indicates that the object has not changed since the 
structure information was stored. 

13, A method as in claim 1, wherein the stored 
information comprises information descriptive of at least 
one of a number, size, name, extent, or other attribute of 
macros or other units of active content in the object, and 
wherein the step of programmatically examining uses the 
stored information to determine at least one of the number, 
size, name, extent, or other attribute of macros or other 
units of active content in the object, if the database 
indicates that the object has not changed since the 
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information was stored. 

14. A method as in claim 1, wherein the step of 
programmatically examining includes a program- emulation 
step for executing the current object in a virtual 
environment, for collecting data resulting from the 
execution in the virtual environment, and for storing at 
least some of the results produced by the program- emulation 
step in the database, and wherein the step of 
programmatically examining uses the stored results rather 
than re-executing the program- emulation step, if the 
database indicates that the object has not changed since 
the results were stored. 

15. A virus detection component for use in a computer 
system that stores at least one object that may potentially 
become infected with a computer virus, comprising: 

a database comprised of stored information that is 
descriptive of a state of the at least one object as 
it existed at a point in the past; and 

an object examination unit bidirectionally coupled to 
said database and responsive to a determination that 
an object has a current state that is described by the 
stored information, for programmatically examining the 
object for a presence of a computer virus while using 
the stored information from said database. 

16. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of a number and location of macros within the object. 

17. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of a number and location of archived objects within 
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the object. 

18. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of features of the object that serve as inputs to a 
neural network-based virus detection system, and wherein 
said neural network-based virus detection system uses the 
features as inputs. 

19. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of whether at least one macro is present within the 
object - 

20. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of whether at least one archived object is present 
within the object. 

21. A virus detection component as in claim 15, 
wherein the stored information is descriptive at least in 
part of whether the object can possibly be infected with a 
virus according to predetermined criteria, and wherein said 
object examination unit programmatically examines said 
object only if the stored information indicates that the 
object may possibly be infected according to the 
predetermined criteria as compared to criteria that are 
currently in effect . 

22. A virus detection component as in claim 15, 
wherein if said determination indicates that a current 
state of the object is not described by the information 
stored in said database, said object examination unit first 
processes the object to ascertain the current state of the 
object, and stores information in said database that is 
descriptive of the current state of the object. 
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23. A virus detection component as in claim 15, 
wherein the stored information comprises, for an object 
that contains in archived or combined form at least one 
other object, information descriptive of whether the at 
least one contained object is of a type that should be 
examined for computer viruses, and wherein said object 
examination unit inhibits re-determining and re-scanning 
the contained at least one object if the stored information 
indicates that the at least one contained object is not 
required to be scanned. 

24. A virus detection component as in claim 15, 
wherein the stored information comprises, for an object 
that contains in archived or combined form at least one 
other object, information descriptive of at least one of a 
location, extent, or encoding-method of the at least one 
contained object, and wherein said object examination unit 
is responsive to the stored information for reducing an 
amount of processing time required to extract the at least 
one contained object in order to examine the at least one 
contained object. 

25. A virus detection component as in claim 15, 
wherein the stored information comprises information 
descriptive of a location of an entry-point of the object, 
and wherein said object examination unit is responsive to 
the stored information to determine the entry-point of the 
object, if the database indicates that the object has not 
changed since the entry-point information was stored. 

26. A virus detection component as in claim 15, 
wherein the stored information comprises information 
descriptive of a structure of the object, and wherein said 
object examination unit is responsive to the stored 
information for determining the structure of the object, if 
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the database indicates that the object has not changed 
since the structure information was stored. 

27. A virus detection component as in claim 15, 
wherein the stored information comprises information 
descriptive of at least one of a number, size, name, 
extent, or other attribute of macros or other units of 
active content in the object, and wherein said object 
examination unit is responsive to the stored information 
for determining at least one of the number, size, name, 
extent, or other attribute of macros or other units of 
active content in the object, if the database indicates 
that the object has not changed since the information was 
stored. 

28. A virxis detection component as in claim 15, and 
further comprising a program- emulation unit for executing 
the current object in a virtual environment, for collecting 
data resulting from the execution in the virtual 
environment, and for storing at least some of the results 
produced by the program- emulation unit in said database, 
and wherein said object examination unit is responsive to 
the stored results for using said stored results, and for 
inhibiting the operation of said program emulation unit, if 
the database indicates that the object has not changed 
since the results were stored. 

29. A computer program embodied on a computer- 
readable medium for providing a virus detection program 
subsystem, comprising: 

a code segment for at least maintaining a database 
that stores information that is descriptive of a state 
of at least one object as the object existed at a 
point in the past; and 
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an object examination code segment that is responsive 
to a determination that the object has a current state 
that is described by the stored information in said 
database, for programmatically examining the object 
for a presence of a computer virus while using the 
stored information from said database. 

30. A computer program as in claim 29, wherein said 
computer readable medium further stores a list comprised of 
information that is descriptive of at least one of known 
viruses and of known classes of viruses, said list being 
used by said object examination code segment when 
programmatically examining the object for the presence of 
a computer virus . 

31. A computer program as in claim 29, wherein said 
computer readable medium further stores a neural network- 
based virus detection code segment, wherein said database 
further stores information descriptive of features of the 
object that serve as inputs to said neural network-based 
virus detection code segment, and wherein said neural 
network-based virus detection code segment uses the 
features as inputs . 

32. A computer program as in claim 29, wherein said 
computer readable medium further stores a program-emulation 
code segment for executing objects in a virtual 
environment, for collecting data resulting from the 
execution in the virtual environment, and for storing at 
least some of the results in said database, and wherein 
said object examination unit code segment is responsive to 
the stored results for using said stored results, and for 
inhibiting the operation of said program emulation unit 
code segment, if said database indicates that the object 
has not changed since the results were stored. 
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33. A computer program embodied on a computer- 
readable medium, the computer program being capable of 
executing a method for use in a computer system that 
comprises at least one object that may potentially become 
infected with a computer virus, the method executed by the 
computer program comprising steps of: 

maintaining a database that is comprised of stored 
information that is descriptive of a state of the at 
least one object as it existed at a point in the past; 
and 

for an object that the database indicates has a 
current state that is described by the stored 
information, programmat ically examining the object for 
a presence of a computer virus while assuming that the 
current state of the object is the same as the state 
of the object as it existed at the point in the past. 

34. A computer program as in claim 33, wherein the 
stored information is descriptive at least in part of a 
number and location of macros within the object. 

35. A computer program as in claim 33, wherein the 
stored information is descriptive at least in part of a 
number and location of archived objects within the object, 

36. A computer program as in claim 33, wherein the 
computer program implements or has access to a neural 
network-based virus detection system, wherein the stored 
information is descriptive at least in part of features of 
the object that serve as inputs to the neural network-based 
virus detection system, and wherein the step of 
programmat ically examining the object comprises a step of 
operating the neural network-based virus detection system 
using the features as inputs. 
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37. A computer program as in claim 33, wherein for an 
object that the database indicates has a current state that 
is not described by the stored information, the step of 
programmatically examining comprises an initial step of 
operating the stored program to process the object to 
ascertain the current state of the object, and storing 
information in the database that is descriptive of the 
current state of the object. 



